A new program that encrypts files to extort money from users highlights that attackers don't need advanced programming skills to create dangerous and effective ransomware threats, especially when strong encryption technology is freely available.

A newly discovered ransomware threat runs as a batch file and uses the open-source GnuPG program for encryption

By
Lucian Constantin
| 01 Aug 2014

A new program that encrypts files to extort money from users highlights that attackers don't need advanced programming skills to create dangerous and effective ransomware threats, especially when strong encryption technology is freely available.

Researchers from antivirus vendor Symantec recently came across a Russian-language -- for now -- ransomware program of which the core component is a simple batch file -- a command-line script file.

This development choice allows the attacker to easily control and update the malware, said Symantec researcher Kazumasa Itabashi in a blog post Thursday. The batch file downloads a 1024-bit RSA public key from a server and imports it into GnuPG, a free encryption program that also runs from the command line. GnuPG, which is an open-source implementation of the OpenPGP encryption standard, is used to encrypt the victim's files with the downloaded key. "If the user wants to decrypt the affected files, they need the private key, which the malware author owns," Itabashi said. In public-key cryptography, which OpenPGP is based on, users generate a pair of associated keys, one that is made public and one that is kept private. Content encrypted with a public key can only be decrypted with its corresponding private key. The new ransomware threat that Symantec calls Trojan.Ransomcrypt.L encrypts files with the following extensions: .xls, .xlsx, .doc, .docx, .pdf, .jpg, .cd, .jpeg, .1cd, .rar, .mdb and .zip. Victims are asked to pay a ransom of €150 (around US$200) to recover them. What sets Trojan.Ransomcrypt.L apart is not its use of public-key cryptography for encryption -- other threats do the same -- but its simplicity and the fact that the author chose to use a legitimate and open-source encryption program instead of creating his own implementation, which malware authors often do. There are some complex ransomware programs with advanced features that are developed with the primary goal of being sold to other cybercriminals who lack the skills to create their own.

However, Trojan.Ransomcrypt.L is proof that developing ransomware can be done for little cost and without advanced programming knowledge, which could lead to an increase in the number of such threats in the future.